Information Security Policy
This policy was adopted by the Board of Directors of Armagh Credit Union Limited.
Signed:-
Position ______
Position ______
Date:
Armagh Credit Union is authorized and regulated by the Financial Conduct Authority and Prudential Regulation Authority: Registration Number 573925: Version Dec2015
Armagh Credit Union
Purpose
This Information Security policy addresses the need for managing information security within the credit union by creating awareness of security threats, taking preventative measures to mitigate security threats and continually assessing such preventative measures. Other related policies are:
· Management Information Policy
· Internet Policy
· Business Continuity Policy
· Data Protection Policy
Introduction
The credit union holds a significant amount of information within its technology systems, including member, transaction, investment and employee information, to name a few. The security of this information is considered to be as important as the security of the cash that the credit union holds. As technology has become a core component of financial institution operations, some criminals have resorted to ‘cyber attacks’ using computers rather than physical robberies. In many cases the keyboard has now become more powerful than the firearm.
Information security is an integral part of credit union governance. Ownership and accountability rests with the board of directors. Information security shall not be delegated to an external IT supplier; it is understood and embraced by the credit union itself.
Maintaining information security is not free. Adequate funding must be provided subject to the nature, scale, complexity and risk profile of the credit union while still safeguarding that value for money is achieved.
Effective security ensures the confidentiality, accuracy and availability of credit union information by maintaining awareness and proactively taking action to alleviate security threats.
Information Security Threats
Any threat to the security of credit union information has the potential to disrupt credit union operations, expose sensitive records or data to third parties and place the credit union at a financial loss.
Technology has vastly improved the provision of financial services to members; however, it also brings technical sources of security threats to the credit union. Technology systems must be maintained by qualified IT professionals to ensure their integrity and ability to resist attack. In turn, IT professionals and IT suppliers must be evaluated to ensure that best practice is being applied in relation to information security.
Security threats can also arise from non-technical sources such as changes to credit union operations. Both existing and new staff members who take on new roles must be made aware of security considerations related to their role. Attention must also be given to the impact on information security when business processes are changed. New business locations will have unique physical security requirements. New products or services offered to members may also have specific security threats that must be respected.
Preventing Information Security Breaches
Training and Awareness
In order to minimise security threats and prevent security breaches it is essential that all credit union officers understand and embrace information security risks relevant to their role. Potential security threats shall be communicated to all personnel in a simple and concise manner that assists their understanding of possible vulnerabilities. In addition, personnel will be afforded the opportunity to gain clarity regarding such threats as needed.
Roles and responsibilities
All credit union officers are responsible for understanding information security risks relevant to their role and for communicating newly identified risks as they arise.
The Manager and an appointed Director shall be assigned as the ‘Information Security Officers’ with responsibilities to:
· Act as the internal point of contact for information security issues.
· Co-ordinate information security related communications, including reports issued to the board of directors.
· Control access to credit union systems by managing authentication credentials such as user names and passwords.
Physical Security
Credit Union information is at risk of being lost or exposed through theft of Information System devices. Physical security measures remain as important as technical measures for the protection of credit union information. Physical access to core information systems such as savings & loans servers or file servers shall be restricted to authorised personnel only. Where possible, core information systems shall be locked in a separate room. Otherwise they shall be installed in a locked rack or computer cabinet. Backup tapes and other backup media shall be stored in a similar fashion off-site. When not in use, computers and laptops should be tethered to office tables using security cables. Particular attention should be paid to providing physical security for hardware and software that is designated as being a critical asset.
Acceptable usage of information systems
Credit union servers, laptops, computers, mobile devices and other technologies are used to conduct credit union business operations. Exposure of any single device to a security threat has the potential to disrupt entire credit union operations, expose sensitive records or data to third parties and place the credit union at a financial loss. Consequently, if credit union officers are unsure as to whether an action will place the credit union at risk they must seek advice from a qualified IT professional in advance of taking such action. Such actions may include:
· Accessing previously unvisited websites
· Downloading or installing new software (especially free software)
· Opening unsolicited or unusual emails
· Inserting unfamiliar removable media such as a USB key into a computer
Classification of data
Some data stored on credit union information systems is of higher importance than other data. Particular attention shall be paid to the following types of data:
· Personal data – any data that can identify an individual.
· Sensitive personal data – any data that can identify an individual and provide additional information about them, such as race, health etc.
· Confidential data – any data that is believed to be confidential to the credit union’s business.
Data should be categorised so that the importance of specific sets of data is noted and more stringent security rules can be applied based on this level of importance. The storage of personal data, sensitive personal data and confidential data on laptop computers and mobile devices should be avoided.
Encryption
The use of encryption can further mitigate the risk of exposing sensitive or confidential data. Depending on its importance, data should be encrypted to prevent unauthorised access. Data can be encrypted in two ways:
· Encryption at rest – in this scenario, typically the entire device is encrypted and access to the data is only available through the use of an additional password. The credit union shall ensure that (at a minimum) all laptops, mobile devices, USB keys and backup tapes are encrypted in this manner.
· Encryption in transit – in this scenario the security of important data must be assured when the data is being transmitted outside of the credit union. This includes the electronic transmission of confidential data to board directors when they are not in the credit union offices and to third parties such as solicitors, the ILCU, ECCU etc. Important data shall be secured during transmission through the use of encrypted email, encrypted websites and other methods.
Controlling access to data
Data held on credit union information systems should not be accessible by all personnel. Access to data shall be provided on a “least privilege” basis, where credit union officers only have access to the data required to fulfil their role and no more.
Credit union officers shall not share passwords or other authentication credentials. Unique credentials shall be provided to each individual. Passwords must be complex and use a combination of letters, capital letters and numbers.
Remote access to the credit union should be further restricted through the use of ‘two-factor authentication’. The use of such technology increases security by requiring credit union personnel to make use of both a password (something they know) and, for example, a mobile phone (something they have). Two-factor authentication reduces the risk of a criminal accessing credit union information systems by simply knowing or guessing the password.
Access to credit union technology systems by third parties (such as IT consultants or suppliers) shall be provided in a controlled manner, on a per-session basis and on a least-privilege basis. Third parties shall not have permanent knowledge of passwords for credit union information systems. For essential third party access, the Information Security Officer shall provide an appropriate username and password when access is required. To ensure that access to credit union information systems remains in the control of credit union officers, passwords issued to third parties shall be changed immediately upon completion of the relevant task.
Technical security
The management of vulnerabilities within credit union Information Systems is an on-going process. New weaknesses within operating systems, hardware devices and software applications are identified on a weekly basis. Vendors regularly issue updates and security patches to improve the security of their products. The credit union shall ensure that all updates and security patches are continually applied to its Information Systems. The credit union shall also ensure that IT professionals exercise due diligence so that updates and patches are analysed and subjected to appropriate levels of testing prior to implementation.
Computer viruses & malware are the most common method used to exploit vulnerabilities. In addition to security patching the credit union shall also ensure that suitable anti-virus software is installed and current on all information systems including servers, laptops, computers and mobile devices. An anti-spam solution should be in place to reduce the risk of malicious software attacks through email.
Vulnerabilities may also be exploited if the credit union exposes its information systems to the public Internet. The credit union must be protected by a secure firewall that controls access to its information systems.
Disposal of information systems
Credit union information systems have a working life cycle and ultimately get replaced when they reach the end of that cycle. Information systems due for disposal may still hold important data. Such systems include servers, laptops, computers, mobile devices, backup tapes and USB keys amongst others. When disposing of out-dated information systems, credit unions shall ensure that data residing on these systems is destroyed. Credit unions must evaluate firms offering a disposal service to ensure that they are employing best practice and should only consider using service providers that offer a certificate of destruction.
Security Assessment
The pro-active approach to preventing information security breaches must also be reviewed regularly by conducting a security assessment. The assessment will identify any new risks and security measures that should be amended to control these risks. A security assessment is typically triggered during the following events:
· A change to a business process, such as a new loan approval process.
· Addition of a new service for members, such as an Internet banking or debit card service.
· Addition of new technology to support new or existing services.
· Engagement with a new technology service provider.
An event-triggered security assessment may focus on a specific area of credit union operations. In addition to the above, a full security assessment of all credit union operations shall be conducted on an annual basis.
The full security assessment shall review the potential for security threats arising from both technical and non-technical sources and shall include the following at a minimum:
· A policy audit, used to confirm that credit union officers are adhering to documented credit union policies.
· A risk assessment, used to re-confirm the existence of previously identified security threats and to identify new security threats, determine the likelihood of each threat occurring and identify measures to mitigate the threat in advance of it taking place.
· A penetration test, used to determine the potential for unauthorised access to Information Systems from locations both internal and external to the credit union. Penetration tests must be conducted by suitably qualified, independent security professionals who have no other involvement with credit union operations. The penetration test should be conducted at least every 12 months by a security professional who has no other commercial business with the credit union. The credit union must carefully evaluate such professionals to ensure that they do not pose a security threat themselves.
Reacting to a security breach
In the unfortunate event that a security breach does occur, the Information Security Officers shall implement an incident management process to determine the immediate next steps to be taken. It is likely that the Information Security Officer will require the assistance of suitably qualified IT professionals for this purpose. Initially, the incident management process shall establish evidence of possible data loss or exposure and notify relevant stakeholders of the security breach in a timely manner. Immediate efforts shall be made to prevent a recurrence of the breach and to recover lost or exposed data where possible. If the security breach has a negative impact on normal business operations, consideration must then be given to implementing the credit union’s business continuity plan.
Reporting to board of directors
The following information security reports shall be made available to the board of directors.
Information Security Assessment Report
This report will be issued to the board of directors on an annual basis and shall include:
· The results of any event-triggered security assessments undertaken during the past 12 months.
· The findings of the policy audit detailing staff adherence to documented credit union policies.
· The findings of the risk assessment confirming the existence of previously identified and new security threats and the actions taken to mitigate such threats.
· The results of the penetration test and the actions taken to mitigate any technical vulnerability identified.
Incident Management Report
This report, issued to the board of directors, will be triggered by the detection of a security breach and shall include:
· The date and time of the security breach
· A list of potentially impacted information systems
· Evidence of possible data loss or exposure